8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

General

Target

r12d12.space_b.txt.ps1
Size

1KB
MD5

35c92f4cd446344a166cbf83dbf0ff15
SHA1

e06f98c2f5f82eab44226937d5ce29600f407dcf
SHA256

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
SHA512

63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1304	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1304	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1304	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2436	1304	powershell.exe	31
PID 1304 wrote to memory of 2436	1304	powershell.exe	31
PID 1304 wrote to memory of 2436	1304	powershell.exe	31
PID 2436 wrote to memory of 3020	2436	csc.exe	32
PID 2436 wrote to memory of 3020	2436	csc.exe	32
PID 2436 wrote to memory of 3020	2436	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\r12d12.space_b.txt.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pictnjl6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB6D1.tmp"
    3⤵
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB6D2.tmp

Filesize
1KB

MD5
a0d1bc96833f3fc998b9cf1191b0f47d

SHA1
aa3b08f05626a67f6425d7087bb97a49a8df45ac

SHA256
8c231c5cc07b6fd7e733b774a299bde1e0e0497c45073c313b6c52b3fa719ba2

SHA512
e91e751a134295ada4d62a6ed3935a4c15c88961ad67d3ea1aff4f70845b5be5f59ff8984c0e459dd7f776644ab21cddb0ab97c5df37788a172a4eb8bc7cbcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pictnjl6.dll

Filesize
3KB

MD5
da666ae331b70de03d72d5e40927c9ab

SHA1
353376206c900ee17e53f6fef65d8d5bf6f03958

SHA256
5f62b01f4c0f7a3fa20e6b4f587715328b51f86e96f2483bbafe70f39252364e

SHA512
2fea3b3eb68eef5f8f21459e37d8da7c9221406dada5c2bb1abd98a8c269e347725ca94f2f26f74a5a71cd845175713d08aae8616502750e43b36138c2d9f558

Download Submit
C:\Users\Admin\AppData\Local\Temp\pictnjl6.pdb

Filesize
7KB

MD5
65544dfb065e9165fb8913be03f87295

SHA1
3c1571ae8e627d6980d869096822c7f08318ac76

SHA256
370bf475ac4a6461addd4fe4bcd02fe85824519b80333d2f2246074a04ed88b6

SHA512
b3152db1083ddb0bb85805fa040efa435d60fd6ba9a6f498f7f38cbde0cb18d84050e06e377774f29b4d270e2e48f42505202043d16cdd5efa977142b2dca37d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB6D1.tmp

Filesize
652B

MD5
667db96acdf6db2db1c794131e85147f

SHA1
c9ebccfa546eeee272906560131deedddcf5a7f7

SHA256
75761cbdd82416269e1cbcd4a8cdb710b1cd1439333626c45a4c7a12ea7be49c

SHA512
7275fa38694e233dd9b9febd59186eb1d5a5483307b2a1d09fb611136e738ce47c643834ecbd314d6ee650fa67dcb62a6362553313959f4567233c6866cf5986

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pictnjl6.0.cs

Filesize
267B

MD5
23153877f0e70049d7f366448cc220bc

SHA1
2851269291a02ad0c7b60cb6ff7395bd1a20c659

SHA256
d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

SHA512
82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pictnjl6.cmdline

Filesize
309B

MD5
5476f0a791a5b3dde75b5f3d5f91a239

SHA1
6ee398cbf96ccbf5a752fcf32b28b8a4593df698

SHA256
c59abbd06cebbc921ed8c3bdd6ec0cfd22514845c044bdfbdf5428f7327fe670

SHA512
7acf6c7f591bab7eb1059159eb6e2489030246529498e8fd64558f06dc9f9f82806c65ea7e6df3831adbdfb95014c963a2a7f58d4115ced1592ec06bf95a9056

Download Submit
memory/1304-8-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-12-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-4-0x000007FEF5DBE000-0x000007FEF5DBF000-memory.dmp

Filesize
4KB

Download
memory/1304-7-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/1304-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1304-25-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/1304-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1304-31-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-15-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download
memory/2436-23-0x000007FEF5B00000-0x000007FEF649D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing